The vulnerability is found in ‘load-scripts.php‘, a script in the WordPress core code that processes user defined requests. There is speculation by the Akamai SIRT that this vulnerability also can be found in ‘load-styles.php’, but we have not confirmed this attack vector.
These two script files are used to load web page content by searching for each file listed as a comma separated parameter, for example:
Where the .js file being load is jquery-ui-core. There are 181 .js scripts defined in script-loader.php that can be appended to the above string in order to load all 181 scripts in a single request. This doesn’t require any authentication and while a single request isn’t enough to cause too much load on a server, a script requesting many per second could be.
Akamai recommends using our rate control feature to block multiple requests from the same IP address specific to the load-scripts.php and load-style.php paths. A custom rule can also be created to limit the number of arguments passed to either of those scripts. Check with your Akamai account team on enabling a rule for your configuration.
*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Larry Cashdollar. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/PQr9xjNtgek/wordpress-dos-attack-cve-2018-6389.html